Security systems have been provided for real-time analysis of network flows to identify possible attacks or intrusions. For example, co-pending U.S. patent application Ser. No. 09/615,676, entitled SYSTEM AND METHOD FOR TRACKING THE SOURCE OF A COMPUTER ATTACK and incorporated herein by reference above, describes several embodiments of such a system. Such systems may employ a software process, referred to as a “sniffer” process in the above-referenced application, to analyze network flows in an effort to identify possible security-related events that may warrant further analysis or responsive action. One approach, described for example in the above-referenced application, is to analyze network flows for patterns or “signatures” that are associated with known types of attacks. Another approach, described for example in co-pending U.S. patent application Ser. No. 09/964,272 entitled SYSTEM AND METHOD FOR ANALYZING PROTOCOL STREAMS FOR A SECURITY-RELATED EVENT and incorporated herein by reference above, is to model normal and permissible network protocol behavior so that deviations from such normal and permissible flows may be detected. Still other systems may try to match network traffic with a set of stored signatures associated with a particular prior intrusion or type of intrusion or attack, such as a system of the type described in U.S. Pat. No. 5,557,742, entitled METHOD AND SYSTEM FOR DETECTING INTRUSION INTO AND MISUSE OF A DATA PROCESSING SYSTEM.
In many applications, speed of analysis is an important performance criterion for such systems. For example, an internal corporate network connected to an external network such as the Internet, or a system or set of systems used to provide a website via the Internet, may receive a huge volume of network traffic in a short period of time. In addition, multiple different host systems may connect via the external network to the internal network or system, each connection effectively representing a “conversation” carried on by exchanging numerous data packets between the participating host systems. A security system deployed to protect such a network or system against attack must be able to process in a timely manner the many data packets received via the external network as part of these various conversations.
One way to improve the speed and performance of a security system such as described above would be to employ a multi-processor system. Such systems comprise more than one microprocessor, each one being configured to operate independently of the others. As a result, in such a system multiple processors may operate in parallel, increasing the speed with which operations may be performed. However, to use such a multi-processor system for network flow analysis, it is necessary to ensure that the packets associated with a particular connection between an external host system and a protected internal host system are all routed to the same processor, so that that processor will have all of the data packets needed to analyze the flow of packets on that connection. In addition, the packets for a particular connection must all be routed to the same processor in a manner that maximizes the speed advantage that it is possible to attain through use of a multi-processor system, such as by maximizing the extent to which analysis of multiple connections may occur concurrently.
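The connection-affinity requirement described above can be illustrated with a direction-independent flow hash. This is an added example, not taken from this document or the referenced applications. The `Packet` record, the function names, the choice of CRC32 and the sample addresses are assumptions constructed for illustration.

```python
import ipaddress
import zlib
from collections import namedtuple

# Hypothetical packet record; only the fields needed to identify a connection.
Packet = namedtuple("Packet", "src_ip src_port dst_ip dst_port proto")

def flow_key(pkt):
    """Direction-independent connection key: order the two endpoints so
    that client->server and server->client packets produce the same key."""
    a = (int(ipaddress.ip_address(pkt.src_ip)), pkt.src_port)
    b = (int(ipaddress.ip_address(pkt.dst_ip)), pkt.dst_port)
    lo, hi = sorted((a, b))
    return (pkt.proto, lo, hi)

def worker_for(pkt, n_workers):
    """Map a packet to a worker index that is stable for its connection."""
    # CRC32 is an assumption chosen for determinism; it is not keyed, so a
    # production dispatcher would use a keyed hash to resist skewing by peers.
    return zlib.crc32(repr(flow_key(pkt)).encode()) % n_workers

def dispatch(packets, n_workers):
    """Append each packet to its worker's queue, preserving arrival order."""
    queues = [[] for _ in range(n_workers)]
    for pkt in packets:
        queues[worker_for(pkt, n_workers)].append(pkt)
    return queues

def sample_traffic():
    """Constructed sample: 3 connections, 2 packets each direction, interleaved."""
    server = ("192.0.2.10", 443)
    clients = [("198.51.100.7", 40001), ("198.51.100.7", 40002), ("203.0.113.5", 51515)]
    pkts = []
    for _ in range(2):
        for ip, port in clients:
            pkts.append(Packet(ip, port, server[0], server[1], "tcp"))
            pkts.append(Packet(server[0], server[1], ip, port, "tcp"))
    return pkts

if __name__ == "__main__":
    for i, q in enumerate(dispatch(sample_traffic(), 4)):
        print(i, sorted({flow_key(p) for p in q}))
```

Because the key sorts the two endpoints, each worker sees both halves of every conversation it owns, while distinct connections can be analyzed concurrently on different workers.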